[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Disable ZeroConf: how to ?

Hash: SHA512


Am Do den  3. Mär 2011 um 11:25 schrieb Tollef Fog Heen:
> Then just don't use it?  Nobody is forcing you to.
> | And even if you not care about, then that functionality should be
> | explicit configured and not per default.
> That makes it much less useful.  On the other hand, it's not like your
> system will suddenly go around connecting to random services just
> because it sees them announced.

So you contradict yourself within two paragraphs. It makes it less
useful to enable it only on manual intervention (say, it should be
enabled automatic) but on the other hand you say that nobody is forcing
me (or others) to use it. How do that plays together?

> Oh, I quite like services to announce themselves so I can just do ssh
> foo.local.  Not everything gets set up in DNS and ssh caches the host
> key so doing a mitm attack after the initial handshake is prevented.

Not ever service has that security fence.

> Except zeroconf isn't routed so to be able to exploit it you need to be
> on the same physical segment?

Physical might be relative with wireless networks. But you are true,
that isn't routed (good thanks), but that hinders it only from taking
down the whole net.

> If you have found any bugs where network sinks are used automatically
> please file bugs about that.

Oh, there is no change of that as I never ever will use such stuff.

> Really, if you want to disable avahi, please feel free to do so on your
> systems.

That the discussion is about, yes. And the pressure some dependencies
bring in.

> Or use a firewall, or both.

It is told on other places that firewalling is not the solution.

> Debian has a fair balance of functionality, security and convenience
> out of the box,

Unfortunately some people on debian started to place convenience much
higher as security. I think that is a dangerous trend. Debian gives up
more and more security for convenience.

> if you disagree with the current balance, feel free to invest the work
> into making it possible to harden Debian further.

Oh, I did. I am not a DD and involved myself in some discussions about
that. But finally I found out that the force of (some) DDs is higher
than mine and that they misuse it. So I am only able to fix that issues
I have locally and share the hardened packages to others on a private
repository. That is not great but sometimes it is the only workable way.
And it is no easy way.

- -- 
Klaus Ethgen                            http://www.ethgen.ch/
pub  2048R/D1A4EDE5 2000-02-26 Klaus Ethgen <Klaus@Ethgen.de>
Fingerprint: D7 67 71 C4 99 A6 D4 FE  EA 40 30 57 3C 88 26 2B
Version: GnuPG v1.4.11 (GNU/Linux)


Reply to: